Description

Under Texas Administrative Code §202.74, Institution Information Security Program, the university shall implement an information security program that includes protections, based on risk, for all information and information resources against unauthorized access, use, disclosure, modification, or destruction, including assuring the availability, confidentiality, and integrity of information.

Applicability

  • This Control applies to all information and information resources owned, leased, or under the custodianship of any unit or employee of the university, including resources outsourced to another institution, contractor, or other source such as cloud computing.

  • This Control provides the minimum standards for Texas A&M’s information security program in accordance with the state’s Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202) and other applicable requirements.

Implementation

  • 1 TEXAS A&M INFORMATION SECURITY PROGRAM AND PLANS

    • 1.1 It is the university’s responsibility to develop, document, and implement an information security program to protect the university’s information and information resources, as approved by the university President or designee. The university’s information security program must contain the elements required by TAC 202, including but not limited to the following:

      • 1.1.1 The approved program plan should be reviewed and updated annually, taking into account changes in business, technology, threats, incidents, risk assessments, and the university’s mission.

  • 2 INFORMATION SECURITY RESPONSIBILITY AND ACCOUNTABILITY

    • 2.1 Chief Information Security Officer (CISO). The university President, or designee, is responsible for designating a Chief Information Security Officer who has the explicit authority and duty to administer the information security requirements of TAC 202 across the institution. The CISO shall fulfill the detailed responsibilities established by TAC 202, including providing required reports to the President or designee and/or DIR.

    • 2.2 Information Owners. University information owners shall fulfill the detailed responsibilities established by TAC 202 and by the CISO. The CISO will help ensure that information owners have appropriate training, standards, guidance, and assistance to comply with these responsibilities. Significant information owner responsibilities include, but are not limited to:

      • 2.2.1 Inventory and classify information under their authority according to Security Control RA-2, Security Categorization.

      • 2.2.2 Perform the risk assessments provided in Section 3, including identifying, recommending, and documenting acceptable risk levels for information resources under their authority.

    • 2.3 Information Custodians. University information custodians shall fulfill the detailed responsibilities established by TAC 202 and by the CISO. Information owners will help ensure that information custodians have appropriate training, standards, guidance, and assistance to comply with these responsibilities. Significant information custodian responsibilities include, but are not limited to:

      • 2.3.1 Implement approved controls and access to information resources under their care; and

      • 2.3.2 Adhere to information security policies and procedures to manage risk levels for information resources.

    • 2.4 Users of Information Resources. Users of university information resources shall fulfill the detailed responsibilities established by TAC 202, including but not limited to:

      • 2.4.1 Use the information resources only for the purpose(s) specified by the university or information owner;

      • 2.4.2 Comply with information security controls, system standards, and applicable university guidelines or standards to prevent unauthorized or accidental disclosure, modification, or destruction; and

      • 2.4.3 Formally acknowledge that they will comply with university information security requirements by a method determined by the President or designee.

      • 2.4.4 Users of system or member information resources who fail to comply with these university information security requirements are subject to disciplinary action, up to and including termination of employment.

  • 3 ANNUAL RISK ASSESSMENT

    • 3.1 The university shall annually conduct and document an information security risk assessment as required by TAC 202, utilizing the Information Security Risk Assessment Procedures (ISRAP). These assessments shall be presented to the President or designee. The purpose of the annual risk assessment is to identify, evaluate, and document the level of impact on the university’s mission, functions, image, reputation, assets, or individuals that may result from the operation of the university’s information systems.

  • 4 SECURITY AWARENESS EDUCATION AND TRAINING

    • 4.1 The university shall deliver information security awareness training for all users (see Control AT-2, Security Awareness Training).